Bug 1462823
| Summary: | [DOCS] AWS configuration does not describe how to use IAM Roles | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Steven Walter <stwalter> | |
| Component: | Documentation | Assignee: | Gaurav Nelson <gnelson> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Jianwei Hou <jhou> | |
| Severity: | urgent | Docs Contact: | Vikram Goyal <vigoyal> | |
| Priority: | unspecified | |||
| Version: | 3.4.0 | CC: | aos-bugs, erich, jokerman, mmccomas, rcook | |
| Target Milestone: | --- | Keywords: | Reopened | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1467508 (view as bug list) | Environment: | ||
| Last Closed: | 2018-03-07 01:08:26 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1467508 | |||
|
Description
Steven Walter
2017-06-19 15:53:08 UTC
So IAM roles must exist before launching the instances. The cloudformation configuration for creating the IAM role is:
"NodePolicy": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": [ "ec2.amazonaws.com" ] },
"Action": [ "sts:AssumeRole" ]
}
]
},
"Policies": [
{
"PolicyName": "node-describe",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "*"
}
]
}
}
]
}
},
"MasterPolicy": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": [ "ec2.amazonaws.com" ] },
"Action": [ "sts:AssumeRole" ]
}
]
},
"Policies": [
{
"PolicyName": "master-ec2-all",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*",
"elasticloadbalancing:*"
],
"Resource": "*"
}
]
}
}
]
}
},
"MasterInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"DependsOn": "MasterPolicy",
"Properties": {
"Roles": [ { "Ref": "MasterPolicy" } ]
}
},
"NodeInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"DependsOn": "NodePolicy",
"Properties": {
"Roles": [ { "Ref": "NodePolicy" } ]
}
},
Is there anything you need to do on the openshift side? What do you put into aws.conf? On the openshift side all you need to provide is openshift_cloudprovider_kind: aws the installation will place an empty file in the location of the aws.conf and pass successfully Updated the example in the docs to include this information. See https://github.com/openshift/openshift-docs/pull/4645 Commit pushed to master at https://github.com/openshift/openshift-docs https://github.com/openshift/openshift-docs/commit/32eaf45f2126dcaadffd9a3c9e613c9ec1b72463 Merge pull request #4645 from gaurav-nelson/Bug1462823Fixes Bug#1462823 - Fixes
1. Is there a configuration option to override the expected name of the roles to assume? For example, is there a way in Openshift to not expect the default role names, but use an attribute named "RoleName" in the cloudformation configuration to specify the generated role name? Something like:
ADFSAgencyNetworkAdministratorsRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Federated: !Sub
- "arn:aws:iam::${accountId}:saml-provider/ADFS"
- accountId: !Ref "AWS::AccountId"
Action:
- "sts:AssumeRoleWithSAML"
Condition:
StringEquals:
SAML:aud:
- "https://signin.aws.amazon.com/saml"
RoleName: "ADFS-AgencyNetworkAdministratorsRole"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess"
- "arn:aws:iam::aws:policy/AWSDirectConnectFullAccess"
- "arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess"
2. Can we be more precise in granting privileges. The ec2:* in the example you give may be a problem. If I need to set aws as the cloud provider but all I need is to dynamically assign Elastic Block Storage for persistent volumes, can I change ec2:* to a smaller list of permissions?
Updates are now live at https://docs.openshift.com/container-platform/3.5/install_config/configuring_aws.html Cloned this bug. To address the last comment please see https://bugzilla.redhat.com/show_bug.cgi?id=1467508. Based on https://bugzilla.redhat.com/show_bug.cgi?id=1452816#c21 this looks like this should not have been closed / completed. @Eric, Bug was about: > In the docs it says: "Note: IAM profiles may be used instead of storing API > credentials on disk." however there is no description as to what process to > take. This was addressed in https://bugzilla.redhat.com/show_bug.cgi?id=1462823#c5 and https://bugzilla.redhat.com/show_bug.cgi?id=1462823#c6 and that is why the bug was closed. Then there was a follow up question https://bugzilla.redhat.com/show_bug.cgi?id=1462823#c9 which was addressed in https://bugzilla.redhat.com/show_bug.cgi?id=1467508 The updates in https://docs.openshift.com/container-platform/3.7/install_config/configuring_aws.html addresses all issues. |